Chapter 05 Annex A Controls Basics and Accounting Information Systems
Accounting Information Systems
Why Are Threats to Accounting Information Systems Increasing?
• Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement.
• Some companies view the loss of an information system as a distant, unlikely threat.
• The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
Internal Controls
Important Functions of Internal Controls
• Preventive controls – deter problems before they arise.
• Detective controls – discover problems that are not prevented.
• Corrective controls – identify and correct problems that are not prevented.
Categories of Controls
Application Controls prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of data captured, entered, processed, stored, transmitted to other systems, and reported.
A belief system describes how the company creates value, helps employees understand management's vision, communicates core values, and helps inspire employees to live by those values.
Levels of
The Public Company Accounting Oversight Board was created to control the auditing profession and enforces auditing quality control, ethics, independence, and auditing standards.
New rules for audit committees: members must be part of the board of directors and must be independent of the company. One member should be a financial expert.
New rules for auditors, which include providing specific information to the company's audit committee, such as information systems design and implementation.
After SOX is passed, the SEC mandates management to:
• Disclose all material internal control weaknesses.
• Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.
COBIT Framework
• A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advice on IT security and control matters.
Security Principles of Governance
• Meeting stakeholders' needs.
• Applying a single, integrated framework.
• Separating governance from management.
COBIT 5 Governance and Management Key Areas
COSO Internal Control Framework
• Hiring
• Compensating, Evaluating and Promoting
• Training
• Managing Disgruntled Employees
• Discharging
• Vacations and Rotation of Duties
• Confidentiality Agreements and Fidelity Bond Insurance
• Prosecute and Incarcerate Perpetrators
Objective Setting
Strategic objectives are high-level goals that are aligned with the company's mission, support it, and create shareholder value.
Operations objectives deal with the effectiveness and efficiency of a company's operations and determine how to allocate resources.
Reporting objectives help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
Compliance objectives help the company comply with all applicable laws and regulations.
Event Identification
• An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.
Risk Assessment and Risk Response
Management can respond in four ways:
• Reduce risk
• Accept risk
• Share risk
• Avoid risk
Estimate Likelihood and Impact
Identify Controls and Estimate Costs and Benefits
• Preventive controls are usually superior to detective controls.
• Corrective controls help recover from any problems.
• Detective controls are essential for discovering the problem.
• One way to estimate the value of internal controls involves expected loss, the mathematical product of impact and likelihood (Expected loss = Impact x Likelihood).
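The expected-loss formula on the slide, carried one step further into the cost/benefit comparison that the "identify controls and estimate costs and benefits" step calls for. This is an added example, not material from the chapter: the Risk and Control types, the sample payroll figures, and the rule that a control is worth adopting when the reduction in expected loss exceeds its cost are assumptions made here for illustration.

```python
"""Expected loss and control cost/benefit worksheet (added example, not from the chapter).

Expected loss = Impact x Likelihood, as on the slide. The cost/benefit step
below (net benefit = reduction in expected loss minus the control's cost)
is an assumed, common way to carry out the "estimate costs and benefits"
step; all figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # estimated loss per occurrence, in currency units
    likelihood: float   # probability of occurrence per period (0.0 to 1.0)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                              # cost of operating the control per period
    residual_likelihood: float               # likelihood remaining with the control in place
    residual_impact: Optional[float] = None  # impact with the control in place (None: unchanged)


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = Impact x Likelihood, with input range checks."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return impact * likelihood


def net_benefit(risk: Risk, control: Control) -> float:
    """Reduction in expected loss attributable to the control, minus its cost."""
    before = expected_loss(risk.impact, risk.likelihood)
    impact_after = risk.impact if control.residual_impact is None else control.residual_impact
    after = expected_loss(impact_after, control.residual_likelihood)
    return (before - after) - control.cost


def choose_control(risk: Risk, candidates: List[Control]) -> Optional[Control]:
    """Pick the candidate with the largest positive net benefit, or None if none pays off."""
    best: Optional[Control] = None
    best_value = 0.0
    for control in candidates:
        value = net_benefit(risk, control)
        if value > best_value:
            best, best_value = control, value
    return best


# Constructed sample figures, not from the chapter.
PAYROLL_FRAUD = Risk("fictitious employee on payroll", impact=100_000.0, likelihood=0.05)
CANDIDATES = [
    # a detective control: monthly reconciliation of payroll against HR master data
    Control("monthly payroll reconciliation", cost=2_000.0, residual_likelihood=0.01),
    # a preventive control: dual authorization of every new-hire record
    Control("dual authorization of new hires", cost=6_000.0, residual_likelihood=0.0),
]

if __name__ == "__main__":
    print("expected loss before controls:",
          expected_loss(PAYROLL_FRAUD.impact, PAYROLL_FRAUD.likelihood))
    for c in CANDIDATES:
        print(f"{c.name}: net benefit {net_benefit(PAYROLL_FRAUD, c):.2f}")
    chosen = choose_control(PAYROLL_FRAUD, CANDIDATES)
    print("chosen:", chosen.name if chosen else "none (no control pays for itself)")
```

With the constructed figures the expected loss is 5,000 per period; the reconciliation control removes 4,000 of it for 2,000 (net benefit 2,000), while the dual-authorization control removes all 5,000 but costs 6,000 (net benefit -1,000). The slide's preference for preventive controls is about effectiveness; the worksheet shows that cost can still tip the choice toward a cheaper detective control.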
Control Activities
Control activities are policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Management must make sure that:
Segregation of Duties
Recording – preparing source documents; entering data into computer systems; maintaining journals, ledgers, files, or databases; and preparing reconciliations and
Department
This prevents collusion from happening. Collusion is cooperation between two or more people in an effort to thwart internal controls.
Separation of Duties
Segregation of System Duties
• Segregation of system duties – implementing control procedures to clearly divide authority and responsibility within the information system function.
Division of System Duties
• Systems administrator – person responsible for making sure a system operates smoothly and efficiently.
• Network management – person responsible for ensuring that applicable devices are linked to the organization's networks and that networks operate properly.
• Security management – people that make sure systems are secure and protected from internal and external threats.
• Change management – process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity and availability.
• Users – people who record transactions, authorize data processing, and use system output.
• Systems analysis – people who help users determine their information needs and design systems to meet those needs.
• Programmers – people who take the analyst's design and develop, code, and test computer programs.
• Computer operators – people who operate the company's computers.
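A way to turn the division of system duties into something an access administrator can check, as an added example that is not part of the chapter. The role names are the ones on the slide; which pairs of roles are incompatible is not stated on the slide, so the pairs below, the SYSTEM_ROLES and INCOMPATIBLE tables, the find_violations and can_grant functions and the sample assignments are all assumptions made here for illustration. It pairs a detective check (report people who already hold conflicting roles) with a preventive one (refuse a grant that would create a conflict), mirroring the control types introduced earlier.

```python
"""Segregation of system duties check (added example, not from the chapter).

The role names come from the "Division of System Duties" slide. Which pairs
are incompatible is NOT stated on the slide; the pairs below are an assumption
for illustration. The sample assignments are constructed.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

SYSTEM_ROLES = {
    "systems administrator", "network management", "security management",
    "change management", "users", "systems analysis", "programmers",
    "computer operators",
}

# Assumed incompatible pairs: each joins "build" with "run/approve", or "use"
# with "build/administer", so one person could alter a system and conceal it.
INCOMPATIBLE = {
    frozenset({"programmers", "computer operators"}),
    frozenset({"programmers", "change management"}),
    frozenset({"users", "programmers"}),
    frozenset({"users", "systems administrator"}),
    frozenset({"systems administrator", "security management"}),
}

Assignments = Dict[str, Set[str]]


def find_violations(assignments: Assignments) -> List[Tuple[str, str, str]]:
    """Detective check: (person, role_a, role_b) for every incompatible pair one person holds."""
    violations = []
    for person, roles in assignments.items():
        unknown = roles - SYSTEM_ROLES
        if unknown:
            raise ValueError(f"{person}: unknown role(s) {sorted(unknown)}")
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset((role_a, role_b)) in INCOMPATIBLE:
                violations.append((person, role_a, role_b))
    return sorted(violations)


def can_grant(assignments: Assignments, person: str, role: str) -> bool:
    """Preventive check: True if adding `role` to `person` creates no incompatible pair."""
    if role not in SYSTEM_ROLES:
        raise ValueError(f"unknown role {role!r}")
    held = assignments.get(person, set())
    return not any(frozenset((role, existing)) in INCOMPATIBLE for existing in held)


# Constructed sample assignment, not from the chapter.
SAMPLE: Assignments = {
    "alice": {"programmers", "computer operators"},   # builds and runs the same code
    "bob": {"systems analysis", "programmers"},        # design plus coding: allowed here
    "carol": {"network management"},
    "dave": {"users", "systems administrator"},        # end user who also administers the system
}

if __name__ == "__main__":
    for person, a, b in find_violations(SAMPLE):
        print(f"violation: {person} holds both '{a}' and '{b}'")
    print("may bob take on change management?", can_grant(SAMPLE, "bob", "change management"))
    print("may carol take on users?", can_grant(SAMPLE, "carol", "users"))
```

Run against the sample it reports alice (programmer and operator) and dave (user and administrator), refuses to add change management to bob because he already programs, and allows carol to become a user. The incompatibility table is the policy; the code only enforces whatever pairs the organization decides to put in it.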
Project Development and Acquisition Controls
Strategic master plan – a multiple-year plan that lays out the projects the company must complete to achieve its long-range goals and the resources needed to achieve the plan.
Project milestones – points where progress is reviewed and actual and estimated completion times are compared.
Data processing schedule – a schedule that shows when each data processing task should be performed.
Organizations modify existing systems to reflect new business practices and to take advantage of IT advancements.
The proper design and use of electronic and paper documents and records helps ensure the accurate and complete recording of all relevant transaction data. The form should be as simple as possible, minimize errors, and facilitate reviews.
Safeguard Assets, Records, and Data
• Perform internal control evaluations
• Implement effective supervision
• Use responsibility accounting systems
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits
• Employ a computer security officer and a chief compliance officer
• Engage forensic specialists
• Install fraud detection software
• Implement a fraud hotline